LastPass has further detailed the security breach in which the password management company lost customer information and advised all customers to change their master password; it is also trying to remedy problems some users had in doing so. Speaking to PCWorld, LastPass CEO Joe Siegrist confirmed that the names and passwords of up to “a couple hundred” users could have been taken, as well as their encrypted passwords; however, he also suggested that the company was “maybe too alarmist ourselves” and that the potential for misuse after the data breach was in fact low.
In addition to the stored password values (one-way hashes, which the company describes as encrypted passwords), the attackers are also believed to have taken the per-user “salt” for those hashes. A salt is random data combined with the password before it is hashed; it makes each user’s stored value unique, so an attacker cannot reuse one precomputed table of guesses against every account. A salt is not a secret, and taking it does not break the hashing by itself; what it does is let the attacker reproduce the exact computation for that one user and test master-password guesses offline.
“You can combine the user’s e-mail, a guess on their master password, and the salt and do various rounds of one-way mathematics against it. When you do all of that, what you’re potentially left with is the ability to see from that data whether a guess on a master password is correct without having to hit our servers directly through the website,” Joe Siegrist, CEO, LastPass
LastPass has added an option for those with strong master passwords to opt out of the mandatory change, and has switched those yet to change their password into an “offline” mode to try to reduce load on the system. The rush of people wanting to make a password change had overloaded the servers; more information on the offline mode here.